Twiki Installation Notes 

Ned Brush
4/13/06

Everything is left as is (default settings) unless specified below.

Distribution: RHEL 4

1)	Here are some good references to follow during the installation:
a.	The INSTALL.html file that comes with the tgz file (see step 3).  This is the most thorough walk-through of the procedure.
2)	With Apache installed, edit /etc/httpd/conf/httpd.conf so that the server is inaccessible except over SSL.  I still wanted a link from port 80 to the SSL site (explained in step 23), but everything else should be visible only over SSL.  Here's what the root <Directory> block looks like before:

<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

	And here's what it looks like after:

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Deny from all
</Directory>

	With Order allow,deny and Deny from all on the root directory, Apache refuses every path by default; only <Directory> blocks that explicitly Allow access (such as the twiki bin and pub blocks added in step 23) are reachable.  This is also what keeps /var/www/twiki/data, where the .htpasswd file ends up, from ever being served, even though it sits under the DocumentRoot.

3)	Download the latest .tgz file from twiki.org (4.0.2 for this how-to).
4)	In the Ubuntu distribution the Twiki tgz needed to be unpacked as www-data (the web-server user).  RHEL does not have that user, so I am trying the apache user first.  RHEL is set up so that apache cannot log in, so I had to go to User Manager from root's desktop and set the login shell for apache to /bin/bash (it was /sbin/nologin).  I plan to change that back after everything is installed correctly (step 26).
a.	System Settings->Users and Groups.  Under Preferences, uncheck the filter option (system accounts are hidden by default).  Then change the apache user's properties.
5)	The DocumentRoot default for RHEL is /var/www/html, so I chose to put the wiki in /var/www/twiki (not under html, keeping it a separate entity from the html directory).  I believe it can be moved later; the httpd conf files for twiki will have to be changed to reflect the move.  So, as root: mkdir /var/www/twiki
6)	Next, for the nobody user to be able to install it, that user has to own the directory and the file.  (Whichever account you use, it must be the one httpd actually runs as, i.e. the User directive in httpd.conf, because the CGI scripts will run as that user.)  So, still as root, copy the tgz file into the wiki directory (by default it was downloaded to the Desktop directory).  It will look something like this: cp /root/Desktop/Twiki-4.0.2.tgz /var/www/twiki  Then change the directory and file ownership: chown -R nobody.nobody /var/www/twiki
7)	Unpack the files: tar xvzf Twiki-4.0.2.tgz
8)	cp twiki_httpd_conf.txt twiki_httpd.conf
9)	Next, I edited twiki_httpd.conf and changed every /home/httpd to /var/www, because Twiki assumes you will install it under /home/httpd.
10)	Next, cd lib; cp LocalSite.cfg.txt LocalSite.cfg; chmod u+w LocalSite.cfg (so we can write to the file).  Then I set the host name (currently I have it set to the IP address, since we don't have a host name yet):
$TWiki::cfg{DefaultUrlHost} = 'http://128.143.11.61';
	Then I changed every /home/httpd to /var/www.  Once the site is on SSL (step 23), change this setting to https://<host name> so that the absolute URLs Twiki generates point at the SSL site rather than at port 80.
	
11)	Next, cd ../bin; cp LocalLib.cfg.txt LocalLib.cfg; chmod u+w LocalLib.cfg (so we can write to the file).  Then I set the lib path:
$twikiLibPath = "/var/www/twiki/lib";
	
12)	As root, symlink twiki_httpd.conf into Apache's conf.d directory (so that Apache finds it): ln -s /var/www/twiki/twiki_httpd.conf /etc/httpd/conf.d/twiki_httpd.conf
13)	As root, /etc/init.d/httpd restart
14)	Now you should be able to point any browser at http://128.143.11.61/twiki (or whatever address you are using).
15)	Click on Configure Twiki.
16)	Click on the warnings.  For this particular installation, Perl was missing the CGI::Session module.  The next few steps show how to install that module.  If you aren't missing any modules, skip to step 17.
a.	As root, run cpan
b.	I accepted all defaults until the mirror selection
c.	North America->United States->1 2 3 4 5 6
d.	install CGI::Session
e.	quit
f.	Then I reloaded the configure page in my browser
17)	Under Localisation: change {DisplayTimeValues} to servertime
18)	If your only remaining warning is the locale path, ignore it (I did).  Click Next.
19)	Set a password: current one *****(ask Ned)
20)	At this point, the wiki should be working.  You should be able to create users and edit pages.
21)	To make Twiki login-based (so that who may edit which pages depends on Twiki users; this is separate from Apache's own access control), in the configure script:
a.	Under Security->Authentication->LoginManager: set to TWiki::Client::TemplateLogin
b.	Under Security->Passwords->PasswordManager: set to TWiki::Users::HtPasswdUser
c.	This creates a .htpasswd file in the twiki data directory, used to verify logins.  In step 23 the same file is handed to Apache as its AuthUserFile, so the Apache Basic-auth prompt and the Twiki login share one set of passwords.
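As an added example (not from the original notes and not Twiki's own code): a small POSIX shell script that adds a user to the shared .htpasswd using the Apache apr1 (MD5) scheme and then verifies a password against the stored entry by recomputing the hash with the stored salt, which is the same comparison Apache's mod_auth performs.  It assumes openssl is on the PATH; the function names, the 640 file mode and the sample user are this example's own choices.  Twiki's HtPasswdUser writes whatever encoding is selected under Security->Passwords in configure, so keep that compatible with what Apache's AuthUserFile can read (crypt, apr1 or SHA1).

```shell
#!/bin/sh
# Added example: manage entries in the .htpasswd that Twiki (HtPasswdUser)
# and Apache (AuthUserFile) share. Requires openssl. Function names and the
# file mode are assumptions of this example, not part of the notes.
set -eu

# Add or replace USER in FILE with an apr1 (Apache MD5) entry.
# usage: htpasswd_set FILE USER PASSWORD [SALT]
htpasswd_set() {
    file=$1; user=$2; pass=$3; salt=${4:-}
    if [ -n "$salt" ]; then
        entry=$(openssl passwd -apr1 -salt "$salt" "$pass")
    else
        entry=$(openssl passwd -apr1 "$pass")   # random salt
    fi
    tmp=$(mktemp)
    # drop any existing line for this user, then append the new one
    if [ -f "$file" ]; then
        grep -v "^$user:" "$file" > "$tmp" || true
    fi
    printf '%s:%s\n' "$user" "$entry" >> "$tmp"
    mv "$tmp" "$file"
    # the web-server user must read it; nobody else needs to (hashes inside)
    chmod 640 "$file"
}

# Verify PASSWORD for USER by re-hashing with the salt stored in the entry
# ($apr1$SALT$HASH). Returns 0 on match, 1 on mismatch or unknown user.
# usage: htpasswd_check FILE USER PASSWORD
htpasswd_check() {
    file=$1; user=$2; pass=$3
    stored=$(grep "^$user:" "$file" | head -n1 | cut -d: -f2-)
    [ -n "$stored" ] || return 1
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    recomputed=$(openssl passwd -apr1 -salt "$salt" "$pass")
    [ "$recomputed" = "$stored" ]
}
```

Because both Apache and Twiki read the same file, a user created this way can get through the Basic-auth prompt in step 23 immediately; deleting a user here locks them out of both.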
22)	To enable Twiki's automated user registration (it emails new users), a mail program needs to be set up.
a.	I had trouble sending email because the host name venividiwiki.ee.Virginia.edu was not registered in DNS, so email coming from that domain always got rejected.  I changed it to msl.gotdns.org (my temporary server) and got it to work.  This will need to be changed back to the veni domain name once it is registered.
i.	I couldn't change it in /etc/sysconfig/network; that didn't seem to set the host name, so I used the GUI under Applications->System Settings->Network and set the host name there.
b.	I wanted to use postfix (instead of sendmail), but that is a sysadmin preference; either should work fine.  So I turned off sendmail at boot and turned on postfix.
i.	Applications->System Settings->Server Settings->Services
1.	uncheck sendmail (and stop it)
2.	check postfix (and start it)
23)	Lastly, we wanted to put the entire Twiki behind SSL so that everything is encrypted and we don't have to worry about limiting access based on anything other than users.  The following describes the SSL setup.
a.	Unfortunately, I destroyed the original SSL key that came with the RHEL installation.  You may be able to get it to work with that key, but these instructions show how to create the key and certificate needed.
b.	Here is a good, brief reference on setting up apache and mod_ssl.  I followed it exactly and it worked. http://slacksite.com/apache/certificate.html
c.	As root, I created a directory: mkdir /etc/httpd/conf.d/ssl.wiki  (this can really go anywhere, as long as it is outside the DocumentRoot).
d.	Within that directory, I followed the steps from the reference above:
i.	openssl genrsa -des3 -rand file1:file2:file3:file4:file5 -out server.key 1024  (There are four zipped files in that folder to use in place of file1:file2:etc.)  This produces a DES3-encrypted (passphrase-protected) key.  Note that 1024-bit RSA was the norm in 2006 but is below current minimums; use 2048 bits or more today.
ii.	openssl rsa -in server.key -out server.pem  (writes a copy of the key without the passphrase; that is what lets Apache start unattended)
iii.	openssl req -new -key server.key -out server.csr
iv.	openssl x509 -req -days 360 -in server.csr -signkey server.key -out server.crt
v.	In the above command, the days entered determine how long the certificate is valid.
vi.	This gives you four (4) files: server.crt, server.csr, server.key, server.pem
vii.	Because some of these files are no longer encrypted (server.pem is the plaintext private key), make sure they are readable by root only: chmod 400 * within the ssl.wiki directory.  httpd reads the key as root at startup, before switching to the apache/nobody user, so this does not break the server.
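As an added example (not from the original notes or from the slacksite reference): a POSIX shell script that performs the key and certificate steps above non-interactively, locks the files down to mode 400, and then checks two things a practitioner wants to know before restarting httpd: that the certificate really belongs to the key (a mismatch between SSLCertificateFile and SSLCertificateKeyFile is the usual reason httpd refuses to start) and that the certificate's CN is the host name browsers will compare against the URL.  It assumes openssl is on the PATH; the function names and the defaults (2048 bits, 360 days) are this example's own.  Unlike the notes, it writes the key unencrypted from the start instead of producing an encrypted server.key plus a stripped server.pem, so the 400 mode is the only thing protecting it; point SSLCertificateKeyFile at whichever unencrypted file you keep.

```shell
#!/bin/sh
# Added example: generate and verify the key/certificate for the SSL vhost.
# Requires openssl. Function names, defaults and the subject CN passed in by
# the caller are assumptions of this example, not from the notes.
set -eu

# usage: make_selfsigned OUTDIR CN [DAYS] [BITS]
make_selfsigned() {
    dir=$1; cn=$2; days=${3:-360}; bits=${4:-2048}
    if [ -e "$dir/server.key" ]; then
        echo "refusing to overwrite existing key $dir/server.key" >&2
        return 1
    fi
    mkdir -p "$dir"
    chmod 700 "$dir"
    # 1024-bit RSA (as in the 2006 notes) is below current minimums, so
    # BITS defaults to 2048. The key is written unencrypted.
    openssl genrsa -out "$dir/server.key" "$bits" 2>/dev/null
    chmod 400 "$dir/server.key"
    # Non-interactive CSR. The CN must equal the host part of the URL
    # (the vhost's ServerName), or browsers will warn on every visit.
    openssl req -new -key "$dir/server.key" -subj "/CN=$cn" -out "$dir/server.csr"
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    chmod 400 "$dir/server.csr" "$dir/server.crt"
}

# Return 0 if the certificate's public key matches the private key,
# by comparing the RSA modulus of each.
# usage: cert_matches_key CRT KEY
cert_matches_key() {
    crt_mod=$(openssl x509 -noout -modulus -in "$1" | openssl md5)
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl md5)
    [ "$crt_mod" = "$key_mod" ]
}

# Print the CN the certificate was issued for.
# usage: cert_subject_cn CRT
cert_subject_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}
```

Run make_selfsigned /etc/httpd/conf.d/ssl.wiki venividiwiki.ee.virginia.edu as root, then cert_matches_key on the two paths you put in the VirtualHost; only after that restart httpd.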
e.	Now we need to edit twiki_httpd.conf to put the site on SSL.  IMPORTANT: create a user (through Twiki) before going to SSL.  Otherwise you won't have a user to log in with (you can still revert to the non-SSL configuration and create a user if you ever have to).
i.	Please refer to the twiki_httpd.conf that should be located somewhere around this file.  It is a good reference.
ii.	I first added a redirect so that users don't have to point their browsers at the https version.  So venividiwiki.ee.virginia.edu/wiki will take them to https://venividiwiki.ee.virginia.edu/twiki/bin/view (which is the main Twiki page):
Redirect /wiki https://venividiwiki.ee.virginia.edu/twiki/bin/view
iii.	Next, I commented out the original Directory blocks for bin and pub:
#<Directory "/var/www/twiki/bin">
#        Options +ExecCGI FollowSymLinks
#        SetHandler cgi-script
#        Order Allow,Deny
#        Allow from all
#        Deny from env=anonymous_spider
#</Directory>

#<Directory "/var/www/twiki/pub">
#        Options FollowSymLinks +Includes
#        AllowOverride None
#        Allow from all
#</Directory>
iv.	Then I added the following.  Note that DocumentRoot is /var/www, so the Deny from all on <Directory /> from step 2 is what keeps /var/www/twiki/data (including .htpasswd) and lib from being served; only bin and pub are opened up below:
<VirtualHost 128.143.11.61:443>
    DocumentRoot /var/www
    ServerName venividiwiki.ee.virginia.edu
    ServerAdmin nbrush@virginia.edu
    ErrorLog /var/log/httpd/error.log
    TransferLog /var/log/httpd/access.log
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf.d/ssl.wiki/server.crt
    SSLCertificateKeyFile /etc/httpd/conf.d/ssl.wiki/server.pem

    #### Change the path to match your local installation
    <Directory "/var/www/twiki/bin">
        SSLOptions +StdEnvVars
        AuthType Basic
        AuthName "Please enter username & password.  If you have forgotten your password email: evb3m@virginia.edu"
        AuthUserFile /var/www/twiki/data/.htpasswd
        Require valid-user

        Options +ExecCGI FollowSymLinks
        SetHandler cgi-script
        AllowOverride All
        Order allow,deny
#       Allow from 128.143.0.0/16
#       Allow from .virginia.edu
#       Deny from all
        Allow from all

        <FilesMatch "configure*">
            require user "NedBrush"
        </FilesMatch>
    </Directory>

    #### Change the path to match your local installation
    <Directory "/var/www/twiki/pub">
        SSLOptions +StdEnvVars
        AuthType Basic
        AuthName "Please enter username & password.  If you have forgotten your password email: evb3m@virginia.edu"
        AuthUserFile /var/www/twiki/data/.htpasswd
        Require valid-user

        Options FollowSymLinks +Includes
        AllowOverride None
        Order allow,deny
#       Allow from 128.143.0.0/16
#       Allow from .virginia.edu
#       Deny from all
        Allow from all
    </Directory>

    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    CustomLog /var/log/httpd/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>


v.	IMPORTANT: The AuthName above specifies the text that gets displayed in the pop-up that asks for your username and password (in both /bin and /pub).  I included an email address (mine) for people to email if they have forgotten their password.  This should be changed to a more universal address.
vi.	IMPORTANT: I have set the configure script to be accessible only by NedBrush; if you want other users to have access, you will have to add them to the require user line (separated by a space, each name surrounded by quotes).
vii.	That <FilesMatch> block is the place to allow only certain users to access the configure script.  The VirtualHost is also where you point to your SSL key and certificate.
viii.	I am not sure how the stock ssl.conf file and the SSL configuration in twiki_httpd.conf interact, but they weren't working together too well, so I commented out several lines in ssl.conf.  Please refer to that file as an example (it should be somewhere close by; it should also still be on the server at /etc/httpd/conf.d/ssl.conf).  Here are the lines I commented out:
#SSLEngine on
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
#SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
#SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
#SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca.crt
ix.	With this configuration, users can no longer access the site at all unless they have an entry in .htpasswd; it is the Require valid-user on bin and pub that enforces this, not SSL itself.  This means that administrators must grant every new user access.  If this becomes a pain, revert to the original twiki_httpd.conf (which also turns SSL off).
x.	Apparently, even though the RHEL installer claims to turn on a firewall (and we chose SSH (22), HTTP (80) and HTTPS (443) to be open), it didn't open 443.  So we have to do that: Applications->System Settings->Security Level
1.	Under other ports add:
443:tcp
24)	Now we need to shore up the actual twiki pages.
a.	You should already have created a username (so that you can get past the Apache login).
b.	Add at least one user (in my case, I added NedBrush) to TwikiAdminGroup.
c.	Set ALLOWTOPICCHANGE = TwikiAdminGroup on the TwikiAdminGroup page.  This makes sure that only users in the admin group can change the pages that matter (without it, any logged-in user could edit the group page and add themselves).
i.	Do the same for Twiki.TwikiPreferences & Main.TwikiPreferences.
25)	If you want to be extra careful, you can make a few files read-only:
a.	In /var/www/twiki/bin: chmod u-w LocalLib.cfg
b.	In /var/www/twiki/lib: chmod u-w LocalSite.cfg  Since these files are owned by the web-server user, this means the configure script (or any other CGI running as that user) can no longer write a new configuration.  If you want to change the overall configuration, the sysadmin will have to make the file writable by its owner again.
26)	Don't forget to go back into Users & Groups and set the login shell for apache back to /sbin/nologin.
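As an added example (not from the original notes): a POSIX shell audit that re-checks the file permissions these notes depend on once everything is installed, so a later change (a re-extracted tarball, a chmod -R by a helpful colleague) is caught before it matters.  It covers the read-only config files of step 25, the .htpasswd from steps 21 and 23 (must exist, must not be world-readable), the plaintext key from step 23.d.vii (mode 400) and the executable bit on the CGI scripts from step 13.  The default paths are the layout used above; the function names, the set of scripts checked and the exact modes accepted are this example's own choices.

```shell
#!/bin/sh
# Added example: audit the permissions the install notes rely on.
# Paths default to /var/www/twiki and /etc/httpd/conf.d/ssl.wiki; function
# names and the checks themselves are this example's assumptions.

# Last three octal digits of a file's mode (GNU stat first, BSD stat fallback).
file_mode() {
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    printf '%s\n' "${m#"${m%???}"}"
}

# Report one finding and bump the counter used as the return value.
finding() {
    echo "FINDING: $1"
    n=$((n + 1))
}

# usage: audit_twiki [TWIKI_ROOT] [SSL_DIR]
# Prints findings; returns the number found (0 means clean).
audit_twiki() {
    root=${1:-/var/www/twiki}
    ssl=${2:-/etc/httpd/conf.d/ssl.wiki}
    n=0

    # Step 25: config files read-only, so a compromised CGI running as the
    # owning (web-server) user cannot rewrite the site configuration.
    for f in "$root/lib/LocalSite.cfg" "$root/bin/LocalLib.cfg"; do
        if [ ! -f "$f" ]; then finding "missing config $f"; continue; fi
        case $(file_mode "$f") in
            [0145][0145][0145]) ;;   # no write bit for owner, group or other
            *) finding "$f is writable (mode $(file_mode "$f")); chmod a-w it" ;;
        esac
    done

    # Steps 21/23: .htpasswd must exist (Require valid-user rejects everyone
    # otherwise) and must not be world-readable (it holds password hashes).
    f="$root/data/.htpasswd"
    if [ ! -f "$f" ]; then
        finding "no $f: nobody can get past the Basic-auth prompt"
    else
        case $(file_mode "$f") in
            ??[0-3]) ;;              # 'other' digit has no read bit
            *) finding "$f is world-readable (mode $(file_mode "$f")); chmod o-r it" ;;
        esac
    fi

    # Step 23.d.vii: the plaintext private key is readable by root only.
    for f in "$ssl/server.key" "$ssl/server.pem"; do
        [ -f "$f" ] || continue
        case $(file_mode "$f") in
            400|600) ;;
            *) finding "$f has mode $(file_mode "$f"); expected 400" ;;
        esac
    done

    # Step 13: the CGI scripts must be executable or Apache returns 403/500.
    for s in view edit configure; do
        f="$root/bin/$s"
        [ -f "$f" ] && [ ! -x "$f" ] && finding "$f is not executable"
    done

    return "$n"
}
```

Run it as root after step 26 and again after any upgrade; a non-zero exit is the number of problems printed.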
27)	One last thing I have not checked (and this depends on the server): it should be verified that the machine comes back on after a power failure.  It comes up fine after a reboot.  *Edited*: We figured this out.  It was a BIOS setting to turn the machine on whenever AC power is applied.
28)	Lastly, I turned off services that weren't going to be used (this is a headless server in the ECE server room).  From GNOME: Applications->System Settings->Server Settings->Services I turned off:
Cups (printing)
Cups-config-daemon (printing config)
ISDN
Mdmonitor (RAID)
Netfs (NFS, SMB, CIFS, NCP)
Nfs
Nfslock
Rpcgssd (nfs related)
Rpcidmapd (nfs related)
29)	I'd like to figure out how to turn gdm off, but I haven't had the time.  (On RHEL 4 gdm is started by the runlevel-5 entry in /etc/inittab; changing the initdefault line from id:5:initdefault: to id:3:initdefault: boots to text mode without it.)  If you know how (or have time to figure it out), please let one of the AdminGroup people on the wiki know.  Thanks!

